Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we provide you the training and tools you need to pass the CISSP exam the first time. Hi, my name is Sean Gerber and I'm your host for this action-packed, informative podcast. Join me each week as I provide the information you need to pass the CISSP exam and grow your cybersecurity knowledge.
(00:20):
All right, let's get started. Let's go. Cybersecurity knowledge. All right, let's get started.
Speaker 2 (00:30):
Hey, I'm Sean Gerber with CISSP Cyber Training and hope you all are having a beautifully blessed day today. Today is CISSP Question Thursday and we are going to be providing CISSP questions for the content that we had on Monday, right? So if you guys have ever been listening to the CISSP Training Podcast, you know Mondays is when all the content comes out, and then on Thursdays I have practice questions that come out
(00:51):
over the content that was there. So the ultimate goal is to provide you content and questions to help you pass the CISSP exam, and by utilizing the podcast, by utilizing my blueprint on CISSP Cyber Training, utilizing all these tools together, your self-study platform is CISSP Cyber Training. It's there to help you. That's the ultimate goal in this whole plan, is to help you
(01:13):
get what you need done so that you can pass the CISSP and then you can make gazillions of dollars and move on and save the world. That's the goal, right. But before we get started on that, we wanted to talk real quickly about an article that I saw, and this individual, this man, pleads guilty to using malicious AI software to hack Disney employee. So there is this gentleman by the name of Ryan Michael
(01:35):
Mitchell Kramer, who was from Santa Clarita, California. He distributed malicious AI art to various places, such as GitHub and different places like that, and then people went and downloaded it, and because they downloaded it, it had unauthorized software in it. It created a problem, right. So it was malicious inside this artwork, and one of the
(01:56):
individuals that got it was a gentleman by the name of Matthew Van Andel. So Mr Van Andel downloaded this software on his personal computer and in the process of doing so, that led to some credentials that he had, because he's a security engineer, led to some credentials that he had on his personal computer that were
(02:17):
related to Disney and then Disney's internal systems. So, as an engineer, properly a security engineer, he was utilizing credentials that were being stored on his personal stuff, which we all talk about is a no-no, and we need to work with people and make sure that it doesn't happen. Now I say that it's a no-no, but we all know it's happening out there, and if you are a security professional, you
(02:38):
probably need to be aware of how do you provide tools for your people so they don't do these things? And Disney probably, well, did provide some level of tools for him, but, and again, I'm surmising, but Disney's a big company. I'm sure they provided something. He decided not to use that, or for whatever reason, the credentials were on his personal computer. So what happened then is this.
(03:03):
Once Mr Kramer got a hold of Disney, he downloaded approximately 1.1 terabytes of sensitive data, including Slack messages, customer information, employee records. So, bad day for Mitchell Kramer. He's going to be breaking big rocks into little rocks. It's also a bad day for Mr Van Andel. Because of that, he was fired from Disney, and they did a forensics deep dive of his personal computer and realized
(03:23):
that he had some misconduct, probably based on their policies, and they fired him. And so now he is going, that he's basically saying, this wasn't me, I didn't do this. Um, so, and this can't be true. So since then, his family has launched a GoFundMe account because he doesn't have a job and has lost probably all of his employment and probably needs to get a new career, because
(03:44):
once you do this, it's pretty hard to go find employment doing what you're doing. So Mr Van Andel is struggling, and so is Mr Kramer now as he's in prison, breaking big rocks into little rocks. So it'll be interesting to see how this all plays out. Mr Kramer, he did plead guilty to federal charges of unlawfully accessing a computer and threatening to damage protected systems. Now they did threaten to destroy, to.
(04:07):
Really, if they didn't get paid the ransom, he was going to release the documents, which he did, and therefore that's kind of how, I think, part of how they found him. But at the end of the day, people, I'm sorry if there's people that are that stupid to go out and do stuff like this. This is just bad. And if you're downloading stuff off GitHub, buyer beware.
(04:27):
You don't know what you're getting. And especially now with the AI, whatever this AI artwork that was created, um, was enough to tempt him into downloading it, and who knows what's in it. So this is where we talk about this. If it's too good to be true, it probably is, and so you need to be very careful. So you could. This is a really good analogy of also how to help train your employees. You could take an article like this and security awareness and
(04:48):
train and teach your employees on the dangers of gathering information. You know, malicious software now, especially since it's AI-laced out there on the web. So something to consider again, man pleads guilty to using malicious AI software to hack Disney employee. So go check it out.
(05:08):
I think you'll probably enjoy it and use it as a training opportunity. Okay, so let's go on and let's talk about some of the questions for today. Okay, again, these are questions based on domain two of the CISSP, and let's move on and see what we've got. Question one: your organization stores sensitive documents in a content management system. While the documents themselves are
(05:29):
protected with strong access controls, a recent internal audit revealed that the metadata associated with these documents, i.e. the author, creation date, revision history, etc., contains information that could be exploited by attackers to understand the organizational structure and, potentially, project timelines. What is the most, again, most effective way for a long-term
(05:50):
strategy to mitigate this metadata exposure risk? A, implement stricter access controls on metadata fields within the content management system. B, regularly train users on the risks associated with metadata and instruct them to be cautious when creating documents. C, implement automated tools and processes to sanitize or redact
(06:11):
the sensitive metadata upon document creation or export. Or D, migrate all sensitive documents to a more secure air-gapped storage solution. Okay, so which is the most effective long-term strategy to mitigate metadata exposure risk? And the answer is C, implement automated tools and processes to sanitize or redact sensitive metadata upon creation or export.
(06:35):
So, again, adding more stricter controls, that's fine, but that can also break things, and adding more controls doesn't really necessarily help you. Regularly train users. That's an important part, but again, that's not the most effective, because users will make mistakes. And then migrate all sensitive documents to a more secure air-gapped solution. Yeah, that would be more secure, but it wouldn't be the most
(06:57):
effective long-term strategy. Again, implementing any sort of automated tools to help sanitize or redact these would be the most important, the most important thing you should probably consider at this point. One thing to also think about with that, though, is, once you put these tools in place, do not consider it set and forget. You need to go back and verify that they're actually doing what you want them to be doing.
(07:18):
Question two: your organization utilizes a virtualized server environment where multiple departments share the same physical hardware. One department processes highly sensitive financial data, while the others handle less sensitive information. You can kind of see where this is going. What is the most critical control to implement to prevent data contamination or unauthorized access between environments? A, dedicate physical hardware exclusively to the department
(07:41):
processing highly sensitive financial data. B, implement strong logical separation using VLANs and access controls. C, rely on hypervisor built-in security features to isolate virtual machines. Or D, implement robust encryption at the application level for all sensitive financial transactions. So each of these are very good, right. They're all something that you may want to consider.
(08:01):
However, dedicated physical hardware will provide the strongest guarantee of isolation, and it does prevent any data contamination. So, again, separate systems are an important part, but the most critical control. So if you're trying to deal with hardware issues and you want to make sure that it's segregated, even though you have VLANs and ACLs that can be put in place, the best guarantee would
(08:24):
be to have dedicated physical hardware. Question three: your organization operates globally and is subject to data sovereignty laws in multiple jurisdictions. You receive a legal hold request from the US headquarters requiring preservation of all electronic communications of specific employees. This includes those stored in your Germany subsidiary. Germany's data privacy laws have strict limitations on
(08:46):
transferring personal data out of the country and require the most specific legal justification for such transfers. What is the most legally sound approach to handle this kind of situation? A, immediately transfer all employee communications to the US. B, inform the US legal team about the German data privacy restrictions and refuse to transfer the data. C, anonymize the employees' communications in Germany before
(09:09):
transferring them to the United States. Or D, engage with legal counsel in both the US and Germany to determine a legally permissible scope of data preservation and transfer, potentially involving on-site review or anonymization techniques. Lots of words, but it's a really good one. It's a good question. People might bite off on number three, right, or I should say C, anonymize the employee communications.
(09:30):
What we talk about on CISSP Cyber Training, we've mentioned this over and over again, is engage with legal counsel. Okay, it's imperative that you engage with legal counsel to ensure that you have this right. Everybody's aligned, everybody's in agreement. It's just, I can't express it enough. Legal counsel is your friend until they're not, but you don't want to be in that
(09:51):
situation where they're not. Question four: your organization has contracted with a cloud service provider to store and process customer data. The contract specifies that all data will be processed within your country's borders to comply with local privacy regulations. You recently received a notification that your cloud provider is changing its infrastructure and will now be processing your data in a different country.
(10:11):
Hmm, what is the most critical immediate action you can take? A, review the contract's terms regarding data processing locations and legal jurisdictions, and then engage with the provider to understand the implications and potential remedies. Also, bring in legal counsel. B, accept the change if the cloud provider assures you that the security controls are still robust.
(10:32):
Yeah, trust, but verify. C, immediately terminate the contract with the cloud provider and migrate your data to an alternate provider. Or D, notify your customers about the change in data processing location and obtain explicit consent. So some of those will work, right, but the most critical immediate action would be look at your contract terms, right, understand legal jurisdiction, engage with the provider, bring
(10:54):
in legal counsel, all those wonderful things you need to do. That would be your most immediate action. Question five: your organization has a policy requiring physical destruction of hard drives containing sensitive data. You utilize a third-party vendor for this specific service. While the vendor provides a certificate of destruction, you want a higher level of assurance. What additional measures would provide the most robust
(11:17):
verification of the data destruction? So again, the third party is nuking these different hard drives. What would you do? What's the most robust verification? A, conduct a thorough background check and review the certification of the destruction vendor. B, implement a process where your IT staff witnesses the destruction at the vendor's site. C, require the vendor to provide video recording of the entire
(11:41):
destruction process for each batch of hard drives. Or D, implement your own in-house hard drive destruction capabilities. So the most robust would be having your IT staff go show up and watch these. That would be B. That is very draconian, it's very challenging and, yeah, I would not want to do that. But it is your most robust to ensure that something actually
(12:04):
is occurring, that your people are, that they're actually destroying what they say. A video, you could say, well, I have a video. Well, they could use somebody else's hard drive, so they could be throwing something in there. There's ways around that, but again, most robust is sending people to it. Question six: your organization anonymizes large data sets containing customer behavior for research purposes.
(12:26):
While you have removed direct identifiers, you are concerned about the potential for re-identification through linking the anonymized data with other publicly available datasets. What is the most critical step in mitigating this re-identification risk? Again, you de-identify, you remove the identifiers, but they're worried about re-identifying using publicly
(12:48):
available information. Answer A is increase the number of records in an anonymized data set. B, apply differential privacy techniques to add statistical noise to the data while preserving the overall trends. C, only share the anonymized data with trusted research partners. Or D, regularly review and update your anonymization
(13:17):
techniques based on the latest research on re-identification risks. And the answer is B, apply differential privacy techniques. Now, these are designed to limit the ability to re-identify individuals in a data set, and they add statistical noise to help kind of basically hide that. The results, I don't know. I've heard of this. I've never dealt with it myself. It could be useful. So if you really are worried about it and you were substantially worried about re-identification, you may want
(13:38):
to research this and see if that's an option for you. Question seven: your organization has developed a mobile application that accesses and displays sensitive customer account information. To improve the performance, the application caches some of its data locally on the user's device. Okay, that's interesting. What is the most critical security control to implement
(14:00):
regarding this cached data? So it's caching it, so that should be something that would be a bit of a flag for you. A, rely on the device's built-in operating system security features to protect the cached data. B, implement strong encryption for all data cached locally on the mobile devices. C, require users to set strong passwords or biometric authentication on their mobile devices. Or D, minimize the amount of sensitive data cached locally
(14:23):
and limit the duration for which it is stored. Those are all really good, right. A lot of them can be very valuable. The most critical security control will be to limit the amount of data at all. You want to just, if it's got to be stored, limit it, and the amount of time that it's on that system to increase the performance. And then you really need to ask yourself, is it really truly increasing the performance?
(14:43):
Question eight: your organization collects various data points about its customers. While each individual data point might be considered sensitive, you plan to aggregate this data for advanced analytics. You big $10 words there. What is the most important consideration regarding information handling and privacy before proceeding with this data aggregation? So again, you have data points that are there that are
(15:05):
considered sensitive. You plan to aggregate this data, put it all together for some sort of analytics. What is the most important consideration regarding this information handling and privacy? A, ensure that all individual data points are encrypted at rest and in transit. B, review the data elements being aggregated to identify any potential for revealing sensitive information or patterns.
(15:27):
And then that could lead to some sort of de-anonymization.
C, obtain broad consent of customers for the collection and use of their data for any purpose, including aggregation. And then D, limit access to aggregated data to only a small team of data scientists. So the most important consideration would be B, review the data elements being aggregated to identify any
(15:47):
potential for revealing sensitive inferences or patterns. Again, you want to just, looking at the data is important, and understanding about it and asking yourself what happens if this data gets out. Those are really key questions you need to ask yourself any time you're dealing with some sort of data aspects. Question nine: your organization heavily relies on open source software components in a critical application.
(16:09):
What is the most important aspect of this asset management specific to these OSS components from an information handling and security perspective? So you've got a lot of open source stuff, right. What's the most important security aspect of the asset management? All right, A, tracking the version numbers and patch status of all OSS components, which is your open source software.
(16:30):
B, ensuring that the open source software licenses are compatible with your organization's usage and distribution requirements. C, regularly scanning these open source components for known vulnerabilities and promptly applying necessary patches. Or D, maintaining an inventory of all open source components used, including their origins, licenses and known
(16:50):
vulnerabilities. Okay, so the most important aspect would be you need to know what you've got in your environment, which means you need to understand the components, the various open source aspects of it. All those other areas are important, right. So having your own patch status, all of those pieces can add value, but the most important thing is understanding what's actually in your environment versus not knowing it.
(17:11):
Question 10: your organization operates in a country with strict data sovereignty laws. You utilize a cloud-based backup service. Which is the most critical requirement for your backup strategy when complying with these laws? So you have a cloud-based backup and you have sovereignty laws to deal with. A, ensure the backup data is encrypted both in transit and at rest. B, verify the cloud backup provider has strong security
(17:32):
certifications. C, confirm that the backup data is stored and remains within the borders of your country. And then D, implement multi-factor authentication for accessing the backup service. And the answer is C, confirm that the backup data is stored and remains within the borders of your country. So all these other areas are important. Encryption, certifications are all good, but you still need to
(17:54):
understand where, if you're dealing with data sovereignty laws, where is the data stored? And you need to confirm that with the provider. Question 11: your organization has a policy prohibiting employees from sharing sensitive company information on social media. Good point. However, you observe employees discussing general project details that, when combined, could potentially reveal
(18:15):
sensitive insights into your organization. What is the most effective long-term approach to mitigate this risk? You call, you fire everybody. No, that's not the most effective. A, provide comprehensive training for employees on the risks of inadvertent information disclosure on social media. And then they introduced them to Sean, who was Vanessa. No, I was Jennifer. I was a Jennifer. That's what I was.
(18:35):
B, implement monitoring tools to track employees' social media activity and flag potential violations. A lot of work. C, block employees' access to all social media platforms on company networks. Probably not going to happen. Or D, implement strict non-disclosure agreements that explicitly cover social media activities. That's not a bad idea, but the most effective would be provide comprehensive training with employees on inadvertent
(18:57):
information disclosure, and then I would tag that with having an NDA covering these social media activities. Question 12: your organization collects a wide range of customer data. You plan to use this data for various analytical purposes. What is the most important principle of information handling to apply before commencing these analytics? So, a wide range of customer data.
(19:17):
You're going to do some analytics. What's the most important principle for information handling? A, encrypt all the data at rest and in transit. Good idea. B, implement data minimization by only retaining and processing the data that is strictly necessary for the specific analytic goals. C, obtain broad consent for all potential future uses of collected data. Or D, pseudonymize, yeah, I know, I can never say that word,
(19:41):
all personally identifiable or PII data in the data set. So you anonymize it, right, basically? And the answer is B, implement data minimization by only retaining and processing the data that is strictly necessary for specific analytic goals. Question 13: your organization experiences a data breach involving customer PII and PII.
(20:03):
I had a compliance person tell me that's not really a term anymore, and it's probably true, but we're using it. PII. Your internal incident response plan mandates that you notify customers within 60 days. However, a new regulation, specifically in a jurisdiction where some of your most affected customers reside, requires a notification within 72 hours.
(20:24):
That sounds pretty standard. What is the most compliant approach to handle this notification? A, follow your internal policy and notify all customers within 60 days. B, follow stricter regulation requirements and notify the affected customers in that specific jurisdiction within 72 hours and others within 60 days. C, delay notification until you have a complete understanding of
(20:44):
the breach impact and avoid providing inaccurate information. Or D, notify all affected customers globally within 72 hours to adhere to the most stringent requirement. Okay, so what I would do again is D is the right answer. Right? You want to go to the most stringent. However, if you didn't have a good read from your legal team and something happened, right when this thing came down, at a
(21:06):
minimum, I would do the 72 hours, and then you potentially could tell everybody else within 60 days. But it's just easier to just do 72 hours and make it for everyone. So just something to consider at that point. Question 14: your development team has used a cloud-based environment to build and test applications that will eventually handle sensitive production data. This development environment currently has weaker security
(21:28):
controls than your production environment. What is the most critical information handling requirement to implement for this development environment? Okay, so, most critical information handling requirements for a development environment. A, prohibit the use of any real production data in the development environment. Use only synthetic or anonymized test data. Okay. B would be isolate the development environment on a
(21:51):
separate network segment with restricted access. C, mandate the use of strong passwords for development accounts. Or D, implement regular vulnerability scanning of the development environment. So the most critical information handling would be to prohibit the use of any real production data in the development environment, use only synthetic or made-up data. We'll say, though, sometimes that does not work and you have to
(22:11):
bring in real data, so you need to have a good plan on how you're going to manage the real data. Last question: your organization wants to share a large data set containing de-identified patient information with a research institution for a medical study. What is the most critical element to include in the data sharing agreement to ensure responsible information handling?
(22:34):
A, a clause specifying the purpose of the data sharing and limitations on its use to the stated research objectives. B, a requirement for the research institution to implement strong security controls equivalent to your organization's standards. Or D, a provision outlining the data, or actually that's not D, it's. Or C, a provision outlining data retention and destruction policies to be followed by the research institution upon
(22:56):
completion of the study. Or D, all of the above? And the answer is D, all of the above, because each of those are very, very good to have. You want to have all of that. You've got security controls, you've got data retention and destruction, and you've got purpose and limitations. Those are all really good parts, and so, therefore, they are all important.
(23:16):
Okay, I hope you all had a great day. Again, go to CISSP Cyber Training. Look at my blog. I've got some great stuff on the blog. A lot of this content goes out there. I've got them on YouTube. You hear the podcast there. You can also hear them on your local podcast provider, Apple, Spotify, whatever that might be, and then you can go to CISSP Cyber Training and get access to all my content.
(23:36):
Sign up for my bronze package. The bronze package is amazing. You get, for the least amount of money possible, you're gonna have access to get ready through your self-study program for the CISSP. It's a no-brainer. It truly, truly is. It's an awesome program. The Blueprint will help you step-by-step on getting ready for the CISSP. You can't go wrong with it.
(23:57):
You just truly can't. Okay, hope you all have a great day, and we will catch you all on the flip side. See ya.